Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
134s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
23/11/2021, 15:59
Static task
static1
Behavioral task
behavioral1
Sample
Proc.Eeletronicoyilg1707 03r9th.msi
Resource
win7-en-20211104
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Proc.Eeletronicoyilg1707 03r9th.msi
Resource
win10-en-20211104
0 signatures
0 seconds
General
-
Target
Proc.Eeletronicoyilg1707 03r9th.msi
-
Size
4.0MB
-
MD5
c937a24384d2a4117ba1edaf5bae2f63
-
SHA1
e413d38000e5e0a7b3998e20fb1623fe149ba5e3
-
SHA256
1d7cec07e9cffe08e3b79cc38e0f0e59720934a456657dcc994256b88e43dab0
-
SHA512
5e2390e8c7c4a0b2a5e57eb3832a6265e145dee0079c82d210604ff1f045cf98e2f7c6124fd26736a3fe4a39291cb004adcba2da9b8c35306401a622f1d90150
Score
8/10
Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 15 2380 MsiExec.exe -
Loads dropped DLL 3 IoCs
pid Process 2380 MsiExec.exe 2380 MsiExec.exe 2380 MsiExec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe -
Drops file in Windows directory 6 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSIDD03.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE37C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE4F4.tmp msiexec.exe File created C:\Windows\Installer\f75db4d.msi msiexec.exe File opened for modification C:\Windows\Installer\f75db4d.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe -
Suspicious use of AdjustPrivilegeToken 40 IoCs
description pid Process Token: SeShutdownPrivilege 2564 msiexec.exe Token: SeIncreaseQuotaPrivilege 2564 msiexec.exe Token: SeSecurityPrivilege 2320 msiexec.exe Token: SeCreateTokenPrivilege 2564 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2564 msiexec.exe Token: SeLockMemoryPrivilege 2564 msiexec.exe Token: SeIncreaseQuotaPrivilege 2564 msiexec.exe Token: SeMachineAccountPrivilege 2564 msiexec.exe Token: SeTcbPrivilege 2564 msiexec.exe Token: SeSecurityPrivilege 2564 msiexec.exe Token: SeTakeOwnershipPrivilege 2564 msiexec.exe Token: SeLoadDriverPrivilege 2564 msiexec.exe Token: SeSystemProfilePrivilege 2564 msiexec.exe Token: SeSystemtimePrivilege 2564 msiexec.exe Token: SeProfSingleProcessPrivilege 2564 msiexec.exe Token: SeIncBasePriorityPrivilege 2564 msiexec.exe Token: SeCreatePagefilePrivilege 2564 msiexec.exe Token: SeCreatePermanentPrivilege 2564 msiexec.exe Token: SeBackupPrivilege 2564 msiexec.exe Token: SeRestorePrivilege 2564 msiexec.exe Token: SeShutdownPrivilege 2564 msiexec.exe Token: SeDebugPrivilege 2564 msiexec.exe Token: SeAuditPrivilege 2564 msiexec.exe Token: SeSystemEnvironmentPrivilege 2564 msiexec.exe Token: SeChangeNotifyPrivilege 2564 msiexec.exe Token: SeRemoteShutdownPrivilege 2564 msiexec.exe Token: SeUndockPrivilege 2564 msiexec.exe Token: SeSyncAgentPrivilege 2564 msiexec.exe Token: SeEnableDelegationPrivilege 2564 msiexec.exe Token: SeManageVolumePrivilege 2564 msiexec.exe Token: SeImpersonatePrivilege 2564 msiexec.exe Token: SeCreateGlobalPrivilege 2564 msiexec.exe Token: SeRestorePrivilege 2320 msiexec.exe Token: SeTakeOwnershipPrivilege 2320 msiexec.exe Token: SeRestorePrivilege 2320 msiexec.exe Token: SeTakeOwnershipPrivilege 2320 msiexec.exe Token: SeRestorePrivilege 2320 msiexec.exe Token: SeTakeOwnershipPrivilege 2320 msiexec.exe Token: SeRestorePrivilege 2320 msiexec.exe Token: SeTakeOwnershipPrivilege 2320 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2564 msiexec.exe 2564 msiexec.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2320 wrote to memory of 2380 2320 msiexec.exe 71 PID 2320 wrote to memory of 2380 2320 msiexec.exe 71 PID 2320 wrote to memory of 2380 2320 msiexec.exe 71
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Proc.Eeletronicoyilg1707 03r9th.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2564
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 789DD4BD1A7883D490A734AA6407B6E82⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2380
-